[Pkg-utopia-maintainers] Bug#1132943: CVE-2026-34078: Sandbox escape involving symlinks passed to flatpak-portal
Simon McVittie
smcv at debian.org
Sat Apr 11 17:40:29 BST 2026
On Sat, 11 Apr 2026 at 16:52:07 +0100, Simon McVittie wrote:
>Strictly speaking this is a regression, but I'm fairly sure it's
>harmless: see https://github.com/flatpak/flatpak/issues/6608 for
>analysis.
I don't intend to respin the 1.16.6-1 upload or its 1.16.6-1~deb13u1
backport for this, unless the security team feels particularly strongly
about it, but I proposed a fix upstream. (A minimal fix would be to
ignore the error, but in fact the function emitting the warning is a
near-duplicate of an existing utility function, so I did some
deduplication.)
smcv